Kenya: Office of the Data Protection Commissioner adopted guidance on data protection impact assessment

On 28 November 2023, the Office of the Data Protection Commissioner (ODPC) adopted the "Guidance Note on Data Protection Impact Assessment (DPIAs)." The guidance provides a framework for data controllers and data processors to conduct DPIAs in compliance with the Data Protection Act, 2019. DPIAs are required when processing activities may result in high risks to the rights and freedoms of data subjects. The guidance outlines the steps for carrying out DPIAs, including identifying and assessing the risks associated with data processing, evaluating the necessity and proportionality of the processing, and implementing appropriate measures to mitigate risks. The guidance also specifies when organisations must consult with the Data Protection Commissioner, particularly in cases where high risks are identified that cannot be mitigated.